[SECURITY] Fedora 12 Update: xar-1.5.2-6.fc12

updates at fedoraproject.org
Wed May 12 17:56:31 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-7631
2010-04-30 01:02:08
--------------------------------------------------------------------------------

Name        : xar
Product     : Fedora 12
Version     : 1.5.2
Release     : 6.fc12
URL         : http://code.google.com/p/xar/
Summary     : The eXtensible ARchiver
Description :
The XAR project aims to provide an easily extensible archive format. Important
design decisions include an easily extensible XML table of contents for random
access to archived files, storing the toc at the beginning of the archive to
allow for efficient handling of streamed archives, the ability to handle files
of arbitrarily large sizes, the ability to choose independent encodings for
individual files in the archive, the ability to store checksums for individual
files in both compressed and uncompressed form, and the ability to query the
table of contents' rich meta-data.

--------------------------------------------------------------------------------
Update Information:

This update fixes CVE-2010-0055, an issue where xar did not properly validate
package signatures, which allowed attackers to have an unspecified impact via a
modified package.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 28 2010 Matthias Saou <http://freshrpms.net/> 1.5.2-6
- Include patch to fix CVE-2010-0055 (#570678).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #570678 - CVE-2010-0055 xar: signature bypass vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=570678
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update xar' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

